Next Page >>
community
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Hard-Coded SNMP Community Names in Cisco
Industrial Ethernet 3000 Series Switches Vulnerability
Advisory ID: cisco-sa-20100707-snmp
Revision 1.0
Cisco uBR10012 series devices need to communicate with an RF Switch
when configured for linecard redundancy. This communication is based
on SNMP (Simple Network Management Protocol). When linecard
redundancy is enabled on a Cisco uBR10012 series device, SNMP is also
automatically enabled with a default community string of private that
has read/write privileges. Since there are no access restrictions on
this community string, it may be exploited by an attacker to gain
complete control of the device.
Changing the default community string, adding access restrictions on
Title:
======
eFront Community++ v3.6.10 - SQL Injection Vulnerability
Date:
=====
2012-02-11
Title:
======
eFront Community++ v3.6.10 - Multiple Web Vulnerabilities
Date:
=====
2012-02-09
injection via SNMP. Such a technique allowed us to cause a persistent
HTML injection condition on the web management console of several ZyXEL
Prestige router models.
Provided that an attacker has guessed or cracked the write SNMP
community string of a device, he/she would be able to inject malicious
code into the administrative web interface by changing the values of
OIDs (SNMP MIB objects) that are printed on HTML pages.
The purpose behind injecting malicious code into the web console via
SNMP is to fully compromise the device once the page containing the
Title:
======
eFronts Community++ v3.6.10 - Cross Site Vulnerability
Date:
=====
2012-02-07
Aruba Mobility Controller SNMP Community String Disclosure
Product:
Aruba Mobility Controller
http://www.arubanetworks.com/products/mobility_controllers.php
Aruba mobility controller can be monitored via SNMP. It is possible to learn all configured SNMP community strings as long as at least one of them is known to the attacker. This can be accomplished by walking OID branch SNMP-COMMUNITY-MIB::snmpCommunityName (1.3.6.1.6.3.18.1.1.1.2) or SNMP-VIEW-BASED-ACM-MIB::vacmGroupName (1.3.6.1.6.3.16.1.2.1.3).
Today we are excited to announce another community initiative--the Open
Source Software Security community (oss-security). This project is an
ongoing effort to manage security information in Open Source software by
building on the collaborative foundation of the open source model.
The purpose of oss-security is to encourage public discussion of security
flaws, concepts, and practices in the open source community. We don't want
to simply be an information clearinghouse, or to replace any of the current
security lists and groups. The goal is to fill an existing vacuum by
encouraging active participation of those interested in the ideas and
"
Gaining SNMP write access to a device is already a compromise on its own
and usually considered a potential high risk security issue. Therefore,
one could argue that there is no point in launching a SNMP injection
attack when we can already change system settings via the SNMP write
community string. You might be wondering: why bother injecting a
HTML/JavaScript payload on the web console through SNMP when I can
change system parameters via SNMP alone?
In reality however, when a valid SNMP write community is identified, we
find that many OIDs cannot be changed due to read-only settings enforced
Community Server - Stored Cross-site Scripting in user's signature.
- Product description:
Community Server is a communities and collaboration web application
developed by Telligent.
It uses ASP.NET platform (C#) and Microsoft SQL Server database. From
it's 5.0 version, the software was renamed to Telligent Community.
- Vulnerability Details:
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
The vulnerability can be resolved by insuring that the SNMP read community string is set to a secure value.
Securing the Windows SNMP service
DDMI requires the Windows SNMP service for its operation. If necessary DDMI will install and configure the Windows SNMP service using the Windows default security settings. As a result the SNMP read community string may be set to public .
========================================================================
= SugarCRM Community Edition Local File Disclosure Vulnerability
=
= Vendor Website:
= http://www.sugarcrm.com
=
= Affected Version:
= -- SugarCRM Community Edition 4.5.1
= -- SugarCRM Community Edition 5.0.0
=
http://nullcon.net
About null
________
null – The open security community (http://null.co.in) , a non-profit
initiative,
is a community of security professionals who have passion for security
research and contribute towards research and development, knowledge sharing
in the field of computer security.
USA: NY, CT, PA, NJ, DE, MD, VA, NC
Canada: ON
This is your only opportunity now to bring an internationally
acclaimed security and trust expert on timely, sensitive, and highly
critical topics to your organization, community center, school, or
business.
THE SEMINAR SERIES
How great would it be to know how to peel through the lies and
The reported issue DOES NOT AFFECT ANY CURRENT ENOMALY PRODUCT. Our current products are Enomaly ECP Service Provider Edition and Enomaly ECP High Assurance Edition, and neither utilizes the "vmfeed" module.
Specifically, the "vmfeed" module has not been utilized in any version of our products released since the initial release of Enomaly ECP Service Provider Edition in June 2009. The "vmfeed" module was utilized only in our previous-generation "Community Edition" product, which has been deprecated and withdrawn from distribution. Enomaly ECP Service Provider Edition is a completely different product from the old Community Edition.
As a result, since the Community Edition product is deprecated and has been withdrawn, Enomaly has not investigated this reported issue.
Further information on the differences between the deprecated Community Edition technology and our current Service Provider Edition technology can be found at http://src.enomaly.com.
Lars-Erik Forsberg, VP Delivery
Enomaly Inc.
By R&D and security, HES really means new offensive R&D security.
Researchers from all around the internet are welcome to come to
Paris and talk, without discrimination whatsoever : everyone is
equal in front of a computer. Maybe skills appart that is ;)
HES is also an open big party, by the hacking community and for the
hacking community, with people coming literally from around the world.
If you'd like to not only come, but be part of HES by organising a
workshop (lockpickers and organisers of a social engineering contest
wanted !) or contest : please do and refer the relevant section below.
Hi, like last time, we are looking for community input and questions for the
Internet security operations community, to be discussed during ISOI 3.
ISOI is happening this Monday and Tuesday, we will likely compile the responses
in a few weeks.
We will reply to people personally on issues which bother them, and compile a
short text with answers to the community itself.
We tried to do this last time around, and encountered a problem with
interface when the administrator user views pages such as
'/config/configure-systems.html'. The injected code can perform any
actions within the context of the current session (full administrative
rights).
Although usually the SNMP write community string must be guessed/cracked
for a SNMP injection [1] attack to work, some embedded devices come with
SNMP read/write access enabled by default. Some examples include many
ZyXEL Prestige router models [2] used in residential and SOHO networks,
and also products used in corporate and government environments such as
the Proxim Tsunami MP.11 2411 Wireless Point-to-Multipoint System.
http://iseclab.org/badgers2011/
The BADGERS workshop is intended to encourage the development of large
scale security-related data collection and analysis initiatives. It
will provide an environment to describe already existing real-world,
large-scale datasets, and to share with the systems community the
return on experiences acquired by analyzing such collected
data. Furthermore, novel approaches to collect and study such data
sets are welcome.
In contrast to the systems community, security researchers have only
On Tue, 20 May 2008, Viktor Larionov wrote:
> Hi Gadi and all the rest of a community,
>
> I work and live in Estonia, and I was a witness to all happening here,
> especially on the cyber-sphere starting the first day.
>
> Let's skip the details on the political context of your story, which from my
> point of view is far from being neutral, and pass-on to technical part of
> it.
>
The discovery of vulnerabilities in the TCP/IP protocols led to reports
being published by a number of CSIRTs (Computer Security Incident Response
Teams) and vendors, which helped to raise awareness about the threats as
well as the best mitigations known at the time the reports were published.
Much of the effort of the security community on the Internet protocols did
not result in official documents (RFCs) being issued by the IETF (Internet
Engineering Task Force) leading to a situation in which "known"
security problems have not always been addressed by all vendors. In many
cases vendors have implemented quick "fixes" to protocol flaws without
a careful analysis of their effectiveness and their impact on
Yes, we're back with more embedded devices vulnerability research! And
yes, we're also back with more security attacks against the BT Home
Hub (most popular DSL router in the UK)!
As you know, we encourage folks in the community to team up with
GNUCITIZEN in different projects as we've had very successful
experiences doing so. This time it was Kevin Devine's turn. Kevin, who
is an independent senior security researcher, did an awesome job at
reverse engineering the *default WEP/WPA key algorithm* used by some
Thomson Speedtouch routers including the BT Home Hub. Kevin noticed
All,
Immunet Protect is now in the 4th round of public beta. This is free beta AV
software which has been pre-tested extensively by a portion of the Bugtraq
community and is now available for general download to the rest of the
community.
The general idea is that it allows you to build communities of people and
collectively share your protections. It's uses a series of methods to
convict files, primarily in the cloud.
version : <= 1.2
Vendor : http://www.business-space.org
Description :
BusinessSpace - Social Networking in a Box
BusinessSpace is an enterprise collaboration software designed to stand up to and keep in pace with today’s ever-evolving, rapidly-growing world of online business and entrepreneurship. Enterprise community software has been taken up to another lever by the developers of BusinessSpace separating itself from regular social networking software and community software. BusinessSpace is not just a social network CMS, not just a LinkedIn clone: it’s more than that. BusinessSpace was developed by business people, just like you. This means that this business networking software is laced with the features that a businessman, employer, employee or entrepreneur needs. No fancy community software applications, no fancy profiles: it’s simply strictly business. Because that’s what BusinessSpace enterprise social networking software is all about – business.
Vulnerability:
~~~~~~~~~~~~
Input passed to the "id" parameter in classified.php page is not properly verified before being used
CVE Name: None currently assigned
*Vulnerability Description*
CORE FORCE is the first community oriented security solution for personal
computers that provides a comprehensive endpoint security solution for
Windows 2000 and Windows XP systems.
CORE FORCE provides inbound and outbound stateful packet filtering for
TCP/IP protocols using a Windows port of OpenBSD's PF firewall, granular
=========================
The Shmoo Group (TSG) is an independent think-tank of security
professionals from around the world who donate their time and energy
towards information security research and development. Six years ago
TSG had an idea. This idea has grown into a community recognized
security conference attended by over 1500 people.
Although ShmooCon is primarily a security conference, we encourage
innovative and interesting submissions on offbeat technology topics.
Greatest consideration will be given to new presentations, but updates
SecurityTube.net is pleased to announce the CFP for SecurityTubeCon, the
first hacker conference, to be held completely online!
SecurityTubeCon is aimed at democratizing hacker conferences by allowing
any researcher, regardless of his physical location, to share his work
with the community. Unlike other Cons we will not *accept / reject*
speakers. If you have something interesting to share, you WILL be heard.
The idea behind SecurityTubeCon is not to pass judgments on your work,
instead, it aims at providing a platform for knowledge exchange.
Once speakers send in their talk abstracts, we will put it online for
On Wed, Jan 11, 2012 at 11:50:25AM +0100, advisory@htbridge.ch wrote:
> Advisory ID: HTB23065
> Reference: https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_knowledgetree_community_edition.html
> Product: KnowledgeTree Commercial and Community Editions
> Vendor: KnowledgeTree Inc. ( http://knowledgetree.org )
> Vulnerable Version: 3.7.0.2 and probably prior
> Tested Version: 3.7.0.2
> Vendor Notification: 21 December 2011
> Vendor Patch: 23 December 2011
> Vulnerability Type: XSS
present. In most circumstances RED information will be passed
verbally or in person.
# AMBER - Limited distribution. The recipient may share AMBER
information with others within their organization, but only on a
"need-to-know" basis.
# GREEN - Community wide. Information in this category can be
circulated widely within a particular community. However, the
information may not be published or posted on the Internet, nor
released outside of the community.
# WHITE - Unlimited. Subject to standard copyright rules, WHITE
information may be distributed freely, without restriction.
Hi all,
null is proud to announce the launch of it's security & hacking
conference nullcon Goa 2010 nullcon Goa 2010, India's first
'community' driven security & hacking conference will bring together
Security Researchers, security professionals, vendors, CXOs, Law
Enforcements agencies from all over the country to a common platform
to discuss latest research in field of Information Security and in
particular the major security threats faced by everyone today.
Next Page>>
|
